Alerts Tab:
Error Code:
216
Error Category:
Authentication failure
Error Message:
User authentication failed
Alerts for this Request
RADIUS
PAP: CLEAR TEXT password check failed
Access Tracker Auth Window:
Service:
HomeNet - Cloud Identity - Social Media Authentication
Authentication Method: PAP
Authentication Source: Local:localhost
Authorization Source: [Endpoints Repository], [Social Login Repository]
Roles: [Employee], google
Enforcement Profiles: [Deny Access Profile]
Service Monitor Mode:
Disabled
Online Status:
Not Available
Here are the DEBUG logs from the Access Tracker.
2019-11-25 09:08:03,501 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] INFO RadiusServer.Radius - rlm_service: The request has been categorized into service "HomeNet - Cloud Identity - Social Media Authentication"
2019-11-25 09:08:03,501 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - rlm_service: svcreq_list_add Service-State = 0x00e2006e00cb00d4c2130100087bbae5b5448b9f59a712624f9aff2c, Session-Id = "R000003b8-01-5ddbee53"
2019-11-25 09:08:03,501 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - modcallauthorize]: module "service" returns ok for request 70594
2019-11-25 09:08:03,501 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - modcall: leaving group authorize (returns ok) for request 70594
2019-11-25 09:08:03,501 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - Found Autz-Type svc_HomeNet - Cloud Identity - Social Media Authentication_3146
2019-11-25 09:08:03,501 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - Processing the authorize section of radiusd.conf
2019-11-25 09:08:03,501 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - modcall: entering group svc_HomeNet - Cloud Identity - Social Media Authentication_3146 for request 70594
2019-11-25 09:08:03,501 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - modcall: entering group for request 70594
2019-11-25 09:08:03,501 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] INFO RadiusServer.Radius - rlm_sql: searching for user z******@gmail.com in Local:localhost
2019-11-25 09:08:03,501 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - radius_xlat: Running registered xlat function of module Connection for string 'Client-Mac-Address-NoDelim'
2019-11-25 09:08:03,501 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - radius_xlat: 'SELECT te.attributes->>'social_method' AS SP FROM tips_endpoints as te WHERE te.mac_address = LOWER('2C6FC95CE9A4') and jsonb_exists_all(te.attributes, '{social_method}')'
2019-11-25 09:08:03,501 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - rlm_sql (authsrc_10): Reserving sql socket id: 31
2019-11-25 09:08:03,502 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - rlm_sql: The number of fields: 1.
2019-11-25 09:08:03,502 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - rlm_sql: Coulmn label sp
2019-11-25 09:08:03,502 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] ERROR RadiusServer.Radius - rlm_sql (authsrc_10): Error parsing data from database
2019-11-25 09:08:03,502 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] ERROR RadiusServer.Radius - rlm_sql (authsrc_10): SQL query error; rejecting user
2019-11-25 09:08:03,502 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - rlm_sql (authsrc_10): Released sql socket id: 31
2019-11-25 09:08:03,502 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - modcallauthorize]: module "authsrc_10" returns fail for request 70594
2019-11-25 09:08:03,502 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] INFO RadiusServer.Radius - rlm_sql: searching for user z*****@gmail.com in Local:localhost
2019-11-25 09:08:03,502 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - radius_xlat: Running registered xlat function of module Connection for string 'Client-Mac-Address-NoDelim'
2019-11-25 09:08:03,502 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - radius_xlat: 'SELECT mac_address AS User_Password FROM tips_endpoints WHERE mac_address = LOWER('2C6FC95CE9A4') AND status = 'Known''
2019-11-25 09:08:03,502 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - rlm_sql (authsrc_4): Reserving sql socket id: 31
2019-11-25 09:08:03,503 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - rlm_sql: The number of fields: 1.
2019-11-25 09:08:03,503 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - rlm_sql: Coulmn label user_password
2019-11-25 09:08:03,503 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - rlm_sql (authsrc_4): User z*****@gmail.com found
2019-11-25 09:08:03,503 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - rlm_sql (authsrc_4): Released sql socket id: 31
2019-11-25 09:08:03,503 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] INFO RadiusServer.Radius - rlm_sql: found user z******@gmail.com in Local:localhost
2019-11-25 09:08:03,503 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - rlm_sql: Adding Persisted-User-Name z*****@gmail.com to persistent items
2019-11-25 09:08:03,503 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG StatsDClient.StatsClient - Formatted StatsD data=default.Clearpass01.radius.auth._Endpoints_Repository_.lookup-time:1|ms
2019-11-25 09:08:03,503 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG StatsDClient.StatsClient - Sending StatsD request=default.Clearpass01.radius.auth._Endpoints_Repository_.lookup-time:1|ms
2019-11-25 09:08:03,503 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] INFO RadiusServer.Radius - SQL User lookup time = 1 ms
2019-11-25 09:08:03,503 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG StatsDClient.StatsClient - Formatted StatsD data=default.Clearpass01.radius.auth.time:1|ms
2019-11-25 09:08:03,503 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG StatsDClient.StatsClient - Sending StatsD request=default.Clearpass01.radius.auth.time:1|ms
2019-11-25 09:08:03,504 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - modcallauthorize]: module "authsrc_4" returns ok for request 70594
2019-11-25 09:08:03,504 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - modcall: leaving group (returns ok) for request 70594
2019-11-25 09:08:03,504 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - modcallauthorize]: module "svc_3146_authmthd_2" returns noop for request 70594
2019-11-25 09:08:03,504 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - modcallauthorize]: module "svc_3146_authmthd_6" returns noop for request 70594
2019-11-25 09:08:03,504 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - rlm_pap: Login attempt by "z*****@gmail.com". Setting Auth-Type to "svc_3146_authmthd_1".
2019-11-25 09:08:03,504 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - modcallauthorize]: module "svc_3146_authmthd_1" returns ok for request 70594
2019-11-25 09:08:03,504 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - rlm_auth_check: Allowed authentication methods: svc_3146_authmthd_2, svc_3146_authmthd_6, svc_3146_authmthd_1
2019-11-25 09:08:03,504 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - radius: No MS Identity VP
2019-11-25 09:08:03,504 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - rlm_auth_check: allowed Authentication method svc_3146_authmthd_1 set.
2019-11-25 09:08:03,504 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - modcallauthorize]: module "svc_3146_auth_check" returns ok for request 70594
2019-11-25 09:08:03,504 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - modcall: leaving group svc_HomeNet - Cloud Identity - Social Media Authentication_3146 (returns ok) for request 70594
2019-11-25 09:08:03,504 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - rad_check_password: Found Auth-Type svc_3146_authmthd_1
2019-11-25 09:08:03,504 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - auth: type "svc_3146_authmthd_1"
2019-11-25 09:08:03,504 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - Processing the authenticate section of radiusd.conf
2019-11-25 09:08:03,504 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - modcall: entering group svc_3146_authmthd_1 for request 70594
2019-11-25 09:08:03,504 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] INFO RadiusServer.Radius - rlm_pap: authenticating User z*****@gmail.com
2019-11-25 09:08:03,504 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - rlm_pap: Using clear text password.
2019-11-25 09:08:03,504 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] ERROR RadiusServer.Radius - rlm_pap: User z******@gmail.com authentication failed
2019-11-25 09:08:03,504 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - modcallauthenticate]: module "svc_3146_authmthd_1" returns reject for request 70594
2019-11-25 09:08:03,504 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - modcall: leaving group svc_3146_authmthd_1 (returns reject) for request 70594
2019-11-25 09:08:03,504 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - auth: Failed to validate the user.
2019-11-25 09:08:03,504 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - Found Post-Auth-Type
2019-11-25 09:08:03,504 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - Processing the post-auth section of radiusd.conf
2019-11-25 09:08:03,504 [Th 88 Req 70594 SessId R000003b8-01-5ddbee53] DEBUG RadiusServer.Radius - modcall: entering group REJECT for request 70594
So, from what I can tell, it finds the "social_method", username, and "User_Password" from the query, but it dies when it "compares" it to the one returned from oAuth?
Auth source in the service is set to Social and Endpoint repositories.
Guest Application log for Oauth:
Client: 172.16.0.13:50819
Script: /guest/guestReg_login.php
Function: OnPageExecute
Arguments: array (
'mac_address' => '2c6fc95ce9a4',
'social_method' => 'google',
'social_username' => 'z*****@gmail.com',
'social_password' => 'wDafBF6fpBwMwONm/r*****************',
'social_timestamp' => 1574694477,
'social_vip' => false,
'social_args' => '{"page_name":"guestReg"}',
'social_json' => '{"id":"107504947******","email":"z*****@gmail.com","verified_email":true,"name":"Z*** *******","given_name":"Z****","family_name":"E******","picture":"https:\/\/lh3.googleusercontent.com\/a-\/AAuE7mCpU9dgt8VCPWf2lC0kfjTkw*************","locale":"en"}',
)
Details: array (
'error' => 0,
)
Do you think this could have anything to do with 2FA that is enabled on my Google account? It shouldn't, but I'm beating my head against a wall at this point.